
Universal Plug ‘n’ Pwn! Pinkslipbot malware exploits UPnP to help it steal credentials



A variant of Pinkslipbot is the first known malware to conduct attack campaigns using infected devices as HTTPS-based control servers.

The Pinkslipbot malware has been around since 2007. It comes equipped with keyloggers and other credential stealers to make off with U.S. users’ financial information. In fact, it steals over half a million user records each day.

To perpetrate this scale of data theft, Pinkslipbot, otherwise known as the Active Directory lockout-producing QakBot trojan, relies on a botnet of 500,000 infected machines. Each newly infected bot indirectly receives instructions from the malware’s real command-and-control (C&C). Two layers of defenses – infected machines serving as HTTPS proxies and additional HTTPS proxies – funnel these commands down to bots, likely in an effort to conceal the real C&C servers’ IP addresses.


Layout of a typical Pinkslipbot control server. (Source: McAfee)

“As UPnP assumes local applications and devices are trustworthy, it offers no security protections and is prone to abuse by any infected machine on the network. We have observed multiple Pinkslipbot control server proxies hosted on separate computers on the same home network as well as what appears to be a public Wi-Fi hotspot,” explain researchers from McAfee.

Of course, not every infected machine receives the status of a control server proxy. It must meet multiple criteria.

First, it must have an IP address located in North America. Second, Pinkslipbot must verify the machine comes equipped with a high-speed web connection using Comcast’s Speed Test. Third, it must be capable of opening ports on Internet gateway devices using Universal Plug and Play (UPnP), a feature which factors into users’ Wi-Fi network security decisions.

Assuming an infected computer passes all these tests, Pinkslipbot looks for UPnP devices for the purpose of finding Internet gateway devices (IGD). The malware then creates port-forwarding rules on these devices before attempting to port-forward on 27 internal and external ports. If any transmission succeeds, it saves the port number and sends it back to the control server.
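The port-forwarding behaviour described above leaves a visible footprint: any mapping the malware adds through the gateway's WANIPConnection service can be read back with the same UPnP actions. The script below is an added audit example written for this article; it is not McAfee's code and not part of Pinkslipbot. It discovers Internet gateway devices with an SSDP M-SEARCH, enumerates existing port mappings through `GetGenericPortMappingEntry`, and reports any mapping that is not on an operator-maintained allowlist. The control URL (`http://192.168.1.1:5000/ctl/IPConn`), the allowlist, and the two SOAP responses embedded as sample input are all constructed for the example; a real gateway publishes its control URL in the device description XML found at the SSDP `LOCATION` header.

```python
"""Audit UPnP IGD port mappings on a home gateway (added example, not from the original article)."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass
class PortMapping:
    external_port: int
    internal_client: str
    internal_port: int
    protocol: str
    description: str
    enabled: bool


def parse_ssdp_response(raw: str) -> dict:
    """Turn an SSDP 'HTTP/1.1 200 OK' reply into a dict of lower-cased headers."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def discover_igd(timeout: float = 2.0) -> list:
    """Multicast an M-SEARCH for IGDs and return the LOCATION URLs that answer."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\n' f"ST: {IGD_DEVICE}\r\n\r\n")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    locations = []
    try:
        sock.sendto(msg.encode(), SSDP_ADDR)
        while True:
            data, _ = sock.recvfrom(65507)
            hdr = parse_ssdp_response(data.decode(errors="replace"))
            if "location" in hdr:
                locations.append(hdr["location"])
    except socket.timeout:
        pass
    finally:
        sock.close()
    return locations


def build_soap_request(control_url: str, service_type: str, action: str, args: dict) -> urllib.request.Request:
    """Build the SOAP POST a UPnP control point sends to invoke one service action."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = ('<?xml version="1.0"?>'
                '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
                f'<s:Body><u:{action} xmlns:u="{service_type}">{body}</u:{action}></s:Body></s:Envelope>')
    req = urllib.request.Request(control_url, data=envelope.encode(), method="POST")
    req.add_header("Content-Type", 'text/xml; charset="utf-8"')
    req.add_header("SOAPAction", f'"{service_type}#{action}"')
    return req


def parse_port_mapping_response(xml_body: str) -> PortMapping:
    """Extract one mapping from a GetGenericPortMappingEntryResponse envelope."""
    root = ET.fromstring(xml_body)

    def text(tag: str) -> str:
        el = root.find(f".//{tag}")  # argument elements are unqualified in the SOAP body
        return el.text.strip() if el is not None and el.text else ""

    return PortMapping(int(text("NewExternalPort")), text("NewInternalClient"), int(text("NewInternalPort")),
                       text("NewProtocol"), text("NewPortMappingDescription"), text("NewEnabled") == "1")


def enumerate_mappings(control_url: str, service_type: str = WANIP_SERVICE, limit: int = 256) -> list:
    """Walk mapping indices 0..limit-1; the gateway answers HTTP 500 (UPnP error 713) past the last entry."""
    mappings = []
    for index in range(limit):
        req = build_soap_request(control_url, service_type, "GetGenericPortMappingEntry",
                                 {"NewPortMappingIndex": index})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_port_mapping_response(resp.read().decode()))
        except urllib.error.HTTPError:
            break
    return mappings


def flag_unexpected(mappings: list, allowlist: set) -> list:
    """Return enabled mappings whose (external port, internal host, internal port) is not on the allowlist."""
    return [m for m in mappings
            if m.enabled and (m.external_port, m.internal_client, m.internal_port) not in allowlist]


# Constructed sample input: two SOAP responses as a gateway would return them (not captured data).
SAMPLE_RESPONSES = [
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.10</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>home web server</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>443</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>443</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>tmp</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
]
SAMPLE_ALLOWLIST = {(8080, "192.168.1.10", 80)}  # constructed: the only forward the operator set up


def audit_sample() -> list:
    """Run the allowlist check over the constructed sample responses."""
    return flag_unexpected([parse_port_mapping_response(x) for x in SAMPLE_RESPONSES], SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    import sys
    print("IGD locations:", discover_igd())
    if len(sys.argv) > 1:  # e.g. http://192.168.1.1:5000/ctl/IPConn (hypothetical control URL)
        for m in flag_unexpected(enumerate_mappings(sys.argv[1]), SAMPLE_ALLOWLIST):
            print("unexpected mapping:", m)
    else:
        for m in audit_sample():
            print("unexpected mapping (sample):", m)
```

Run against a live gateway, the allowlist in `SAMPLE_ALLOWLIST` should be replaced with the forwards the household actually configured; anything else, especially a mapping that points at a workstation on a port it has no business serving, is worth correlating with endpoint telemetry from that host.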

McAfee’s Sanchit Karve explains the ultimate intent of this activity:

“Based on this data, the malware author decides whether the infected machine can be used as a control server. Once an infected machine is selected, the ‘wgetexe’ control server command (more accurately, command 25 using control server protocol Version 14) is issued to the infected machine to download a Trojan binary as ‘tmp_{timestamp}.exe.’ This sample is responsible for the control server proxy communication…”


Disassembled code showing port mapping functionality. (Source: McAfee)

Pinkslipbot is unique in its usage of UPnP for port-forwarding. The only other malware known to use this technique is the dreaded Conficker worm.

But that’s not even the most unique part about this malware. If deemed viable, an infected machine receives a control server request from the real C&Cs. It then uses libcurl, a URL transfer library, to route all traffic to those servers using an additional proxy. These proxy control servers are based on HTTPS and generate new self-signed certificates for every connection. In turn, responses received from the real C&Cs are verified using a hardcoded RSA public key.


Server certificate generation code from Pinkslipbot. (Source: McAfee)

As of this writing, Pinkslipbot is the only known malware to use infected machines as HTTPS-based control servers.

UPnP allows devices on a network to connect with one another under the assumption they are to be trusted. As such, malware authors can abuse this functionality to dynamically infect machines on that network.

Users can best protect against threats like Pinkslipbot by disabling UPnP altogether.

About the author, David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire’s “The State of Security” blog, and Contributing Author to Carbonite.
